
Require Credential Prompting for Remote Access in GNOME3

An XCCDF Rule

Description

By default, GNOME does not require credentials when using Vino for remote access. To configure the system to require remote credentials, add or set authentication-methods to ['vnc'] in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/Vino]
authentication-methods=['vnc']

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/Vino/authentication-methods

After the settings have been set, run dconf update.
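
The setting and lock described above can be audited with a short POSIX shell function. This is an added example, not code from this rule or from the SSG project; the function name check_vino_auth, its return codes, and the policy of rejecting any keyfile that sets a different value are assumptions of the example.

```shell
#!/bin/sh
# Added example (not SSG project code): audit a dconf keyfile directory for the
# Vino credential-prompt setting and its lock. check_vino_auth and its return
# codes are hypothetical names chosen for this example.
#
# Usage: check_vino_auth DB_DIR      e.g. /etc/dconf/db/local.d
# Returns 0 = set and locked, 1 = missing or wrong value, 2 = set but not locked
check_vino_auth() {
    db_dir=$1
    set --
    for f in "$db_dir"/*; do
        # Regular files only; this skips the locks/ subdirectory.
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ "$#" -gt 0 ] || return 1

    # Conservative policy (an assumption of this example): at least one keyfile
    # sets the key to ['vnc'] and no keyfile sets it to anything else, so the
    # result does not depend on which file takes precedence.
    awk '
        FNR == 1 { in_sec = 0 }                      # new file: no open section
        /^[ \t]*\[/ {                                # section header line
            in_sec = ($0 ~ /^[ \t]*\[org\/gnome\/Vino\][ \t]*$/)
            next
        }
        in_sec && /^[ \t]*authentication-methods[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")                 # keep the value only
            sub(/[ \t]+$/, "")
            if ($0 == "[\047vnc\047]") good++; else bad++
        }
        END { exit (good > 0 && bad == 0) ? 0 : 1 }
    ' "$@" || return 1

    # The lock file must list the key path on a line of its own.
    grep -qsxF '/org/gnome/Vino/authentication-methods' "$db_dir"/locks/* || return 2
    return 0
}

# When run as a script with a directory argument, exit with the audit result.
if [ "$#" -gt 0 ]; then check_vino_auth "$1"; fi
```

A return code of 2 means the value is correct but a user can still override it, because the lock entry is missing.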

Rationale

Username and password prompting is required for remote access. Otherwise, unauthorized and nefarious users can access the system freely.

ID
xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
Severity
Medium



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-87524-5
  - NIST-800-171-3.1.12

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :